At the CSA Congress in November, Tim Rains, Director of Trustworthy Computing for Microsoft, sat down with Jim Reavis, our executive director, to talk about the biggest challenges for cloud computing security, and what vendors and customers are doing to help with these challenges.

Said Reavis, “Each day, a growing number of companies decide to leverage cloud computing for important business activities. There is an immediate and compelling mandate for all of us to become better informed as to how cloud computing functions, its key benefits and considerations to establishing trust.”

My last post introduced the notion that preparation for enterprise cloud processing is comparable to the commands “On your mark” and “Get set” that precede the beginning of a race. Until the “GO,” there’s no progress toward the finish line – the payoff. I outlined some security misconceptions that often (unnecessarily) delay the “GO” command, and I offered evidence that we have now succeeded well enough with the “on your mark” and “get set” preparations for cloud security. We have completed our cloud payoff training, and it’s now time to “CLOUD.” It’s time to start the race in the cloud for real enterprise payoffs.

The Cloud Security Alliance (CSA) Congress, held November 16-17 in Orlando, delivered yet another strong regimen for cloud payoff training in a global context, with both commercial and governmental concentrations. The Congress focused on the substantial progress and results that had been achieved in just a few short years.

Practical examples of cloud victories (payoffs captured) illustrated complete cloud security preparation and execution workouts that others could follow without designing their own from scratch. Full instructional programs for the CSA GRC stack were available to the attendees, and sessions highlighted the wide variety of services, architectures and products that delivered the security and trustworthy cloud processing to support real enterprise payoffs. Major cloud providers announced their support for substantial portions of the GRC stack and the public STAR registry. (See previous post for acronym definitions.) That’s one more important milestone in cloud payoff training.

Future Vision

But beyond the payoff victories already achieved, the CSA Congress also included future vision sessions that stretched our thinking about what kind of valuable (secure) services were possible in cloud delivery – with the right kind of cloud payoff training. I participated in a secure cloud B2B panel discussion that covered all aspects of the enterprise supply chain, from finance to HR to billing and payments. These are functions at the very business heart of the enterprise. Only the most well-trained cloud services can support these. But the cloud payoff training has already been done, and we are ready to compete for payoffs once the cloud service starter’s pistol is fired.

So, where are you in your cloud payoff training? A lot of hard work has already been done, and we are the (competitive) beneficiaries. We have learned that the value equation in the cloud requires us to combine security with transparency. So, we have changed our cloud payoff training program to succeed with this extended value equation. It is now time to GO! It is now time to CLOUD! The starter has already announced “On your mark …” and “Get set …” When the gun goes off, will you be ready and fully trained to CLOUD? Or will you stumble over the hurdle of cloud security? The cloud payoff training is ready. Are you?

Have you ever been in a race? I ran a lot of races during my competitive track and field career at the U.S. Naval Academy and during the dozen years thereafter. Every one of them started with the commands “On your mark … Get set … GO!” Usually a starter’s pistol would fire on the “GO” command, but it was clear that the race was underway, and all of us were finally off and running for the prize of victory.

I was a pretty good runner, and I won my share of collegiate and post-collegiate races. But I learned very early that no matter how good I was at the “On your mark” part of the command, or how well prepared I was for the “Get set,” what really mattered was the “GO” part of the command. It is the “GO” that makes the race happen and the prize possible. Can you imagine a race where we have only “On your mark … Get set …” and nothing else? The runners (good and bad) would be stuck at the starting line forever. No amount of training or coaching or preparation could deliver any payoff.

The same reality holds true for cloud processing. If we are to reap the benefits promised through the global computing utility model offered by the cloud, then we must get to the “GO” command and start competing for payoffs. To be sure, preparation and planning (“cloud payoff training”) are necessary, but such preparation must not become an excuse for unnecessarily delaying cloud processing as a part of our enterprise IT strategy or for avoiding the cloud altogether.

Clearing the Security Hurdle

The state of cloud security is often mentioned as the hurdle most likely to prevent a “GO” command for enterprise cloud processing. Yet in two recent conferences we saw again that the state of cloud payoff training for secure cloud service delivery and consumption is well able to boost us over that hurdle. In fact, the cloud security preparation already done by early cloud researchers, users and providers can be used to make us all better competitors in the race for payoffs with cloud processing. We have learned and trained well to combine real cloud security capabilities with a dynamic service transparency that delivers “evidence-based confidence that what is claimed to be happening is indeed happening … and nothing else.” [1] This combination has been the ultimate target of our cloud payoff preparations, and we can now declare ourselves “fit” to start the capture of promised cloud service payoffs.

The NIST-sponsored Cloud Computing Forum and Workshop IV offered a variety of updates, orientations, panel discussions and true working team events, all of which were primarily targeted at secure cloud computing for the U.S. government. I participated in one of the more provocative panel discussions entitled “Security Assumption Busters.” Although we dealt with about a dozen different assumptions about cloud security, perhaps the most important one to be busted was the withering notion that “nobody understands my cloud security needs.” The consequence of such a notion leads over and over to what has been termed the “genesis syndrome of cloud security,” that is, the (mistaken) belief that the enterprise must begin its own cloud security journey from scratch. Although it is true that any enterprise can probably find some business or mission need that represents a distinctive characteristic in its cloud security requirements, we have long proceeded past the point where such operational distinctions force us to start our cloud preparations with a root event and a clean slate.

For example, the work of the Cloud Security Alliance (CSA) in preparing a complete cloud Governance, Risk and Compliance (GRC) stack lifts every enterprise well beyond a genesis start. Furthermore, the continuing work of the CSA in the sustained evolution of the Cloud Controls Matrix (CCM), the Consensus Assessments Initiative (CAI), CloudAudit and the capstone CloudTrust Protocol (CTP) means that today we can take advantage of cloud payoff training that will keep us in shape to pursue payoffs with cloud processing tomorrow. In addition to the GRC work, the CSA also supports the drive for cloud payoffs with agile and practical research into a trusted cloud architecture (with CTP-supported transparency), security metrics for a cloud service, cloud data governance, a free and open cloud Security, Trust, and Assurance Registry (STAR) and even a CloudSIRT. Finally, the NIST results themselves that were announced and made available at the NIST forum also provide substantial training material that readies us to compete for cloud payoffs.

The CSA held its own conference shortly after the NIST forum. My next post will be about the additional cloud payoff training regimen presented there.

Continued in Part 2
